Mac boot ROM virus is real

What are the symptoms of this particular infestation?

If you've erased the entire disk and reloaded OS X from a known-good download, and have not reloaded any files nor applications from the corrupt environment, then there's another path — maybe the network, and via compromised credentials — or there's a problem with one or more of the lower-level firmware-based devices somewhere within the system.

If the minimal OS X system installation — network disconnected, no external devices, etc — is showing a breach after the typical recovery processing, then you will want to contact Apple Support and request assistance from them, or — if they're not interested — you might seek assistance from folks that specialize in security as they might want to get a look at this system and at the USB device involved. If  is not, then maybe communicate this breach among the reputable parts of the security community, and with a clear statement of the exact problems and with the exact details of what steps were (unsuccessfully) performed to try to remediate this, and with details such as the boot ROM and SMC versions included.

FWIW, multiple-pass erasure is not particularly effective with SSDs — SSDs don't work the same way that hard disks do — and is not going to be particularly better than one-pass erasure in this particular case, as this isn't an issue of avoiding data remanence in the storage devices. Multi-pass erasure addresses only data remanence — which is not at issue, here — and only with specific classes of storage devices.

.ellelle wrote:

MY guess is your in the same boat as me. SIP is disabled in the starup disk and there is NOONE who can help! I have 4 very expensive door stops.

This reply is related to this thread, apparently. Please post the output of Etrecheck over there, as was requested.

MY guess is your in the same boat as me. SIP is disabled in the starup disk and there is NOONE who can help! I have 4 very expensive door stops.

lsof is a command that can list open files and open network channels, and is not particularly related to with the non-volatile storage used for the system firmware, nor for the device firmware. When OS X or some other Unix system is running, there'll be more than a few channels open, too.

If you want to discuss those files you're seeing, then we'll need to know the specific commands used, and a brief sample of some of the files and particularly the directories that are visible. So long as OS X is booted, I'd expect those files and channels shown by lsof to be the booted operating system, too.

The following will list the devices present, and the second command will — when provided with the name of a disk device, with the complete name being /dev/disk0 or /dev/disk1, for instance — show the GPT partitioning structures for the device. This obviously assumes the disk is GPT partitioned. Most OS X boot disks are.

$ diskutil list

$ sudo gpt list /dev/disk{unit}

Depending on the exact commands used to erase the disks and the specific disk configuration — specific details matter here — you could well be looking at the UEFI partition or the recovery partition. That's not the system firmware.

The Internet recovery mechanisms do involve more than a few files, as does a local boot from an external bootable USB device — the latter is fairly common for erasing devices, but it's the other disks that get erased and not the local (usually external) boot device that's being used to perform the erasure.

Without the sequences and commands used to erase and install here, I'm left to guess as to what happened here. I don't know which Mac is involved here, either — some of these have internet recovery and which can sometimes be useful here, and some do not.

If the whole disk was erased and reformatted, there should be nothing on the system — beyond the pieces and parts associated with the file system structures — that was not then installed.

In general, boot from a locally-created USB boot disk, preferably created on a separate system, and using a new-to-you or new-to-the-target-system (ad disposable) USB device. Boot and use that to access the problematic disk.

If you want to know where you are currently defaulted to within the file system, use the pwd command.

Use the cd command to change the default.

EfiLoginUI is part of OS X.

Finding a .DS_Store file in various directories is expected, after a user of Finder has visited the directory.

The . and .. files (directories) are normal.

If the current default directory is /, then the ./Library path is not recursive.

With the ls command, the -a switch shows leading-dot "hidden" files, if the current user is not root or not sudo — where it's the default on ls.

The /etc/mach_init.d and /etc/mach_init_per_user.d directories are associated with some long-deprecated startup customization processing. That'd be worth a look, and compare that with what's present on a known-good system. (But again, a complete disk erasure — not a partition-level erasure — should remove all directories and all files on the target disk. You'll need that USB boot disk mentioned above, here.)

Get somebody to look at this box. Trying to do any sort of forensics via forum postings is far more time and effort. I'd probably image the whole disk somewhere to start; to create a complete copy of the whole disk. Then get somebody to look at it, as well as at at the USB device that reportedly was involved here. Or if you want to pursue this investigation yourself, there is an OS X internals book and at least one book on file system forensics does include some OS X file system info, and you can start reading. If you are unfamiliar with the general topic, Apple has a shell scripting primer available, too.

Contact Apple. Further discussions here will not be fruitful, as there's no documented user-level access to the firmware.

If Apple is not interested — a lack of interest here seems rather unlikely, based on your description — then selling this box does seem possible — there are folks that will be interested in this box, and in that USB device.

Without details such as the commands used, it's not likely that I can provide further assistance here. Whether this is malware, or might be the existing hidden partitions and executables expected on EFI-based systems and with OS X configurations, I don't know.

Was the OS X release that has this current issue downloaded directly from Apple's OS X App Store, or purchased/obtained on a pre-made USB stick from an untrusted source?

Mr. Hoffman's advice about contacting Apple, either Support, or through the nearest Apple Store seems the next practical step.

You can also replace the mother board to get a new Boot Rom.